Hi,

In the iptables status output you sent below, you have TCP as the protocol. I think that should be UDP. Our iptables status output reads like this:

    ...
    Table: nat
    Chain PREROUTING (policy ACCEPT)
    num  target  prot opt source     destination
    1    DNAT    udp  --  w.x.y.z    0.0.0.0/0    udp dpt:5060 to:a.b.c.d:5080
    ...

Can you please double-check that you have UDP in the /etc/sysconfig/iptables file?

BR,
Chris

________________________________
From: Michael Scheidell [mailto:michael.scheid...@secnap.com]
Sent: Friday, August 20, 2010 1:19 PM
To: Sven Evensen
Cc: sipx-users@list.sipfoundry.org
Subject: Re: [sipx-users] iptables experts: port forwarding.

noop, that didn't do it. Remember, this is behind a firewall already; iptables isn't doing NATting.

Ran system-config-securitylevel-tui, enabled firewall.
Edited /etc/sysconfig/iptables to be what you had (IPs changed).
Restarted iptables:

    /etc/init.d/iptables restart

/etc/init.d/iptables status shows (I changed to tcp so I could test with telnet):

    /etc/init.d/iptables status
    Table: nat
    Chain PREROUTING (policy ACCEPT)
    num  target  prot opt source           destination
    1    DNAT    tcp  --  xxx.xxx.xxx.36   0.0.0.0/0    tcp dpt:5060 to:192.168.0.2:5080

    Chain POSTROUTING (policy ACCEPT)
    num  target  prot opt source           destination

    Chain OUTPUT (policy ACCEPT)
    num  target  prot opt source           destination

On an external host, did a telnet to the public IP, port 5060:

    /usr/sbin/tshark -tad -s1500 -n -p host xxx.xxx.xxx.36
    2010-08-20 08:11:33.587745 xxx.xxx.xxx.36 -> 192.168.0.2 TCP 51532 > 5060 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=3 TSV=1337361266 TSER=0
    2010-08-20 08:11:33.587807 192.168.0.2 -> xxx.xxx.xxx.36 TCP 5060 > 51532 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=1084756872 TSER=1337361266 WS=7
    2010-08-20 08:11:33.624719 xxx.xxx.xxx.36 -> 192.168.0.2 TCP 51532 > 5060 [ACK] Seq=1 Ack=1 Win=66608 Len=0 TSV=1337361298 TSER=1084756872

On 8/20/10 5:24 AM, Sven Evensen wrote:

We use iptables on several of our machines to overcome the fact that the ITSP cannot send on 5060; works perfectly. Here is our setup:

    # Firewall configuration written by system-config-securitylevel
    # Manual customization of this file is not recommended.
    *nat
    :OUTPUT ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A PREROUTING -p udp --dport 5060 -s 217.37.32.162 -i eth+ -j DNAT --to 10.227.122.31:5080
    COMMIT

________________________________
From: sipx-users-boun...@list.sipfoundry.org [mailto:sipx-users-boun...@list.sipfoundry.org] On Behalf Of Tony Graziano
Sent: 20 August 2010 08:18
To: Michael Scheidell
Cc: sipx-users@list.sipfoundry.org users
Subject: Re: [sipx-users] iptables experts: port forwarding.

The startup script for sipx checks to see if iptables is running, because it is automatically "problematic" if it is...

On Thu, Aug 19, 2010 at 11:14 PM, Michael Scheidell <michael.scheid...@secnap.com> wrote:

It just occurred to me that sipx on CentOS has iptables. Maybe not active, but it's got it.

Can I use iptables, internally, without involving NATting, to do selective port forwarding?

Example: private IP address of 192.168.0.2, sipx.secnap.com. Public IP of ITSP: 4.2.2.2.

I want to do something like this:
if traffic comes in from source IP 4.2.2.2 to 192.168.0.2:5060, redirect it to 192.168.0.2:5080 (assuming that the original firewall did the NATting; pretend here there isn't one);
all other traffic to 192.168.0.2:5060 goes to 192.168.0.2:5080;
all traffic to 192.168.0.2:5080 goes to 192.168.0.2:5080.

Pretend I know lots about FreeBSD and ipfw and just tonight figured out how to type 'iptables --list', e.g.: tutor me.

I am thinking that if this can be done, it might make life easier for people like me and Mitchel who can't get the ITSP to send to port 5080.

Before I take my live phone system offline, look here, several paragraphs down:
<http://www.linuxquestions.org/questions/linux-networking-3/iptables-port-forwarding-599401/>

They do something like this:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p tcp -s *route_only_for_this_ip* -d *router_ip* --dport 80 -j DNAT --to *destination_ip*:*destination_port*
    iptables -t nat -A POSTROUTING -o eth0 -d *destination_ip* -j SNAT --to-source *router_ip*

So:

    echo 1 > /proc/sys/net/ipv4/ip_forward

(might not be needed) but

    iptables -t nat -A PREROUTING -p tcp -s 4.2.2.2 -d localhost --dport 5060 -j DNAT --to-destination localhost:5080

--
Michael Scheidell, CTO
o: 561-999-5000  d: 561-948-2259  ISN: 1259*1300
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security, 2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008

________________________________
This email has been scanned and certified safe by SpammerTrap(r). For information please see http://www.secnap.com/products/spammertrap/
________________________________

_______________________________________________
sipx-users mailing list
sipx-users@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users/

--
======================
Tony Graziano, Manager
Telephone: 434.984.8430
sip: tgrazi...@voice.myitdepartment.net
Fax: 434.984.8431
Email: tgrazi...@myitdepartment.net

LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: helpd...@voice.myitdepartment.net
Fax: 434.984.8427

Helpdesk Contract Customers: http://www.myitdepartment.net/gethelp/

Why do mathematicians always confuse Halloween and Christmas?
Because 31 Oct = 25 Dec.
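Chris's point, that a "-p tcp" rule exercised with telnet says nothing about the "-p udp" rule SIP actually needs, is the check the thread never runs. The script below is an added example for this archive page; it is not code posted by anyone in the thread and not part of sipXecs. It plays both ends of the test: it binds the DNAT target port in the role the SIP service will later own, sends a real SIP OPTIONS request over UDP to the address and port the ITSP would hit, and reports whether that exact datagram (matched by Call-ID) arrived on the target port. All hosts and ports are arguments; "probe.invalid", the loopback self-check (send_to_port=None) and the 192.0.2.x addresses in the usage line are constructed placeholders.

```python
"""UDP DNAT probe for a SIP 5060 -> 5080 redirect (added example, not from the thread).

telnet only proves a TCP rule; this sends a genuine SIP OPTIONS over UDP and
checks, on the receiving side, that it landed on the DNAT target port.
"""
import socket
import sys
import time
import uuid


def build_options(via_host, via_port, dst_host, dst_port, call_id):
    """Build a minimal RFC 3261 OPTIONS request (CRLF line endings, empty body)."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]   # magic cookie marks an RFC 3261 branch
    lines = [
        f"OPTIONS sip:probe@{dst_host}:{dst_port} SIP/2.0",
        f"Via: SIP/2.0/UDP {via_host}:{via_port};branch={branch};rport",
        f"From: <sip:probe@{via_host}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:probe@{dst_host}>",
        f"Call-ID: {call_id}",
        "CSeq: 1 OPTIONS",
        "Max-Forwards: 70",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_call_id(datagram):
    """Return the Call-ID of a SIP message (long or compact 'i' form), or None."""
    for line in datagram.decode("utf-8", errors="replace").split("\r\n"):
        if line == "":
            break                                   # end of the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("call-id", "i"):
            return value.strip()
    return None


def free_udp_port(host="127.0.0.1"):
    """Ask the kernel for an unused UDP port and release it (for a negative check)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_dnat(send_to_host, send_to_port, listen_host, listen_port,
               timeout=2.0, via_host="probe.invalid"):
    """Listen on listen_host:listen_port (the DNAT target), send OPTIONS to
    send_to_host:send_to_port (what the ITSP hits), and report whether the
    very same request came back in on the target port.

    send_to_port=None sends straight to the listener (loopback self-check,
    no DNAT in the path), which is how the harness below validates itself.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((listen_host, listen_port))
    actual_listen = listener.getsockname()[1]
    if send_to_port is None:
        send_to_port = actual_listen
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender.bind(("0.0.0.0", 0))
    call_id = f"{uuid.uuid4()}@{via_host}"   # unique per probe so stray SIP traffic is ignored
    result = {"received": False, "sent_to": (send_to_host, send_to_port),
              "listen_port": actual_listen, "call_id": call_id, "from": None}
    try:
        request = build_options(via_host, sender.getsockname()[1],
                                send_to_host, send_to_port, call_id)
        sender.sendto(request, (send_to_host, send_to_port))
        deadline = time.monotonic() + timeout
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            listener.settimeout(remaining)
            try:
                data, peer = listener.recvfrom(4096)
            except socket.timeout:
                break
            if parse_call_id(data) == call_id:   # skip unrelated datagrams, keep waiting
                result["received"] = True
                result["from"] = peer
                break
    finally:
        sender.close()
        listener.close()
    return result


if __name__ == "__main__":
    # usage: probe.py <ip the ITSP sends to> <port it sends to> <listen ip> <dnat target port>
    # e.g.   probe.py 192.0.2.36 5060 192.0.2.36 5080     (placeholder addresses)
    host, port, lhost, lport = sys.argv[1], int(sys.argv[2]), sys.argv[3], int(sys.argv[4])
    print(probe_dnat(host, port, lhost, lport))
```

Run it on the sipx host with whatever normally owns the target port stopped (or point it at a spare port), and send from a host that matches the rule's -s; a rule restricted to the ITSP's source address drops a probe from anywhere else, which is the correct outcome, not a failure. A capture on the DNAT box itself is a weak test on its own: Linux packet sockets see inbound frames before PREROUTING and outbound frames after POSTROUTING, so tcpdump or tshark there show port 5060 in both directions whether or not the DNAT fired, which is why this check reads from the target socket instead.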